Cloudflare HTTPS and WAF Update

Since we launched our integration with Cloudflare in 2012 we have seen thousands of our customers benefit from its CDN and the site security functionalities. Today we are happy to announce two improvements in the Cloudflare packages we provide. First, the SSL is now supported in the free plan of the service. Second, we have included a very cool security feature - the Cloudflare Web Application Firewall, in our Plus plan.

Free SSL support is now available in all plans

This has been the most requested feature by our Cloudflare users over the last year. We have been working actively to increase the SSL usage on our servers during the last months. That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge. You only need to switch on the SSL option in our Cloudflare interface.

We recommend setting the SSL support to Flexible if you do not have SSL certificate issued for your domain, or to Full Strict if you have a SSL certificate issued. To learn more about the differences of the SSL settings you can refer to our Cloudflare tutorial.

Cloudflare WAF is now part of our Cloudflare Plus plan

Now our Cloudflare Plus users can benefit from the unique protection of the Cloudflare Web Application Firewall. Thus their websites will be protected by the rules added each day to react to all major recent vulnerabilities that affect applications such as WordPress, Magento, Drupal, PHP, Joomla, and other. Cloudflare WAF prevents automated attacks, SQL injection, XSS javascript injections, posts containing common spam words, cross-site scripting, etc. It provides protection against the Top 10 vulnerabilities identified by OWASP, leverages the collective intelligence of Cloudflare users, and also gives you the opportunity to supply your own WAF rules. It does not require any additional hardware or software installs. Being based on a really huge user base, Cloudflare WAF is an extremely effective protection tool that we highly recommend to any website owner.

You can switch on the WAF through your cPanel. To learn more about its settings visit our CloudFlare tutorial.

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

73 Comments

In that case, is there any need to have a paid plans of CF or no more? Besides, a quick question as i have thousand of non https links all around in my website. If i enable SSL i get errors, how do i deal with this as finding and fixing one by one is a big big job?

February 17, 2017 / 01:21Hristo PandjarovSiteGround Team

The Plus plan has many great features including the newly added Web Application Firewall which further improves the security of your website. In terms of SSL though, you get everything you need in the free version.

February 19, 2017 / 11:52Muhammed NagySiteGround Team

U can use search for and replace db tool if u are using MySQL and search for your domain name in http and replace it with ur domain name but in HTTPS
U should use paths not URLs

Hope you can handle more compliments for what SG is demonstrating, day-in and day-out: Continuous upgrades, enhancements, often at no additional cost!!! - SG continues to exceed my expectations in quality of service and especially in customer support!

Yes, it works great with the SuperCacher but the staging tool does not work since it requires a subdomain creation to operate properly.

February 17, 2017 / 05:23Scot BastonSiteGround Team

is the staging tool something that Siteground can fix in the near future with regards to ssl & cloudflare?

February 17, 2017 / 07:06Hristo PandjarovSiteGround Team

The way it works right now - no. Hopefully, the next major update of the staging will cover CloudFlare and other CDN users too.

March 20, 2017 / 11:40IanSiteGround Team

Here is some recent first hand feedback with this. It definitely does not work. I'm on a cloud plan with a wildcard ssl and cloudflare direct. I recently opened to ticket for support to create a staging site. I did what they instructed and it broke the live site. To senior support's credit the did quickly fix but could not figure out what the issue was. I have not tried a staging site again.

I wish this worked as it would make site changes so much easier.

March 21, 2017 / 05:46Hristo PandjarovSiteGround Team

To be honest, that's a bit of an edge case. I understand the SSL part but since usually staging copies are password protected and password I don't see why you need a CDN on it?

May 11, 2017 / 13:19AlexSiteGround Team

Hristo,

Why would you not create stage domains with your siteground.com domain? Like FlyWheel does?
Their staging works almost with no problems. One click and you have something like berry-puppet.getflywheel.com stage site. That automatically protected with Basic Access Authentication. And if I want I can edit subdomain.

May 11, 2017 / 23:49Hristo PandjarovSiteGround Team

We have different approach towards this. We're working on improving a lot our User Area and will definitelly take that suggestion into consideration.

Siteground really does the work for its clients, i have been dreaming of this feature, ever since Let's Encrypt was enabled on siteground cpanels. I just enabled SSL for all my account and its running perfectly. Now this gives me the confidence to go for cloud hosting and stay with siteground forever. The greatest support team ever worked with. Hoping for the next big thing.

This is great news. I have a lot of sites that I look after and had to choose either cloudflare or take advantage of the free let's encrypt certificates. Cloudflare always won but now I can have both. Many Thanks to the Siteground Team.

Yes! Thank you SG. This is the missing piece to making your one click services complete. I have been manually setting up free https through Cloudflare for my clients up till now, and this is going to be a MASSIVE time saver to have one click ease. Thanks for continuing to make your services and control panel BEST IN CLASS.

Thanks for the update!
I followed the steps and I am glad that my site now has a "safety icon" under the wp-admin page.
However, there is no "safety icon" under other pages. Do we need to do any other things to get this little safety icon? Thanks!

As excited as I was to hear about this feature, it would have been nice if there was some warning that activating CloudFlare with SSL is not as seamless as the tutorials would have you believe. After activating CloudFlare for our SSL site, none of our WordPress plugins are working and Google can't access our site. We contacted support, only to be told that it would take 48 hours for the changes to take effect, and that we shouldn't do any work on the site until the changes were in effect.

I definitely would have timed my activation of CloudFlare better had I been aware that it would halt all site work for 2 days. I really hope the CloudFlare functionality is worth the hassle.

Usually, all DNS changes require propagation time. However, if you simply enable the HTTPS for your site there should be NO propagation time whatsoever. To speed-up the process, you can manually clear the CloudFlare cache from the Settings tab in the tool.

February 18, 2017 / 16:43SarahSiteGround Team

This still doesn't solve the issue that activating CloudFlare with SSL disabled ALL the plugins on our site, and even after the propagation time, the plugins are still not registering.

February 20, 2017 / 01:03Hristo PandjarovSiteGround Team

Enabling or disabling CloudFlare cannot in any way disable or activate plugins on your WordPress site. It must be something else that went wrong with your site. Please, post a ticket in your Help Desk to get additional assistance on that matter.

I'm activated cloudflare last month on the plus package because ssl wasn't supported. Besides the firewall upgrade is there anything else I will be missing if I cancel the plus and go with the free version now?

The firewall upgrade is the only new feature coming to the Plus package. If the SSL was the only thing that made you get the Plus, you can switch back but I would recommend you to take a look at all the other features you get with it because they are really, really useful.

Being a relatively new customer to Siteground - last week moved my main site over from my previous host.

Previously this site was on SSL via a free Cloudflare account with their free issued certificate. During the transfer over this caused me issues. The site was encountering problems regards the certificate not working properly and issuing a security warning to visitors. I had to reinstall the site and point to Siteground instead of Cloudflare, meaning the site has reverted back to http.

The speed of my site has plummeted since the transfer but I'm working through the problems via GT Metrix etc and inserting relevant code into .htaccess and things are improving.

The website is for a local business based in the uk, the server location is in London whether the website is pointing to Siteground or Cloudflare. When I previously changed over to ssl I was undecided if it was the right thing to do, Yes Google say it helps ranking but then they also say speed matters and the transfer to ssl caused a 0.5 sec impact on speed due to the redirection with my previous host.

Going forward I'm thinking should I implement ssl again? The speed loss should be minimum with a better host and with the ability to use http/2 I might well see a faster site.

So to my question...

Which is the best route to achieve a fast, secure site?

1. Use the free SSL certificate issued from SG and keep site pointing to SG, ignoring Cloudflare.
2. Use the free SSL certificate issued from SG and point site at Cloudflare.
3. Point site at Cloudflare and use their free certificate?

I would recommend that you use the free Let's Encrypt certificate. It's free and automatically renewed so you will not forget about it and have problems in the future. Once you make sure your site works fine through https, you can enable CloudFlare. When you use a CDN you're using two certificates but that's handled automatically. First handles the connection between your SiteGround server and CloudFlare and the second one the connection between CloudFlare and your visitors.

I activated on my site. But there's no any change in PageSpeed Insights and GTmetrix scores. They are same as they were before.

February 21, 2017 / 10:48Hristo PandjarovSiteGround Team

It depends on the actual site how much it will be affected. In addition, note that having a CDN makes your site equally fast from all over the world and not only the particular continent where the data center is.

Yet, not in the free or plus version, just in the Business/Enterprise version?

March 2, 2017 / 02:36Hristo PandjarovSiteGround Team

It's in the free version, just set it to Full and use your certificate. However, endpoints will still be using the CF certificates. If you want to have one for them too, you need an enterprise acocunt with CloudFlare.

March 6, 2017 / 16:57MartijnSiteGround Team

What do you mean by end points?

March 7, 2017 / 08:23Hristo PandjarovSiteGround Team

There's one certificate handling the connection between our server and CloudFlare. Then, there's another, issued by CloudFlare for the connection between their servers across the world and your visitors. If you want the second one to be your certificate, you need to have an enterprise account with them.

Not sure on which end is a issue but al users should consider that activating Cloud Flare with Lets Encrypt certificate may set your site down for hours. CF not initialize SSL automatically. They reserved time is 24 hours for that service to begin.

If you activate CF for the first time, it's a normal propagation period that takes place. If you just enable SSL on a site working through CF, it should work right away, I've done it on tens of sites personally and didn't experience any downtime whatsoever. Manually cleaning the cache usually helps with such issues.

In the Cloudflare FAQ's and other places on their site they say that free plans don't support ssl on legacy browsers. Is this the case with Siteground's free or Plus Cloudlare plans? Will the older browsers work with ssl?

Thanks for the reminder about the SNI. Unfortunately, I must be concerned with IE8 support which is only partial for SNI (see caniuse). The site needs the widest possible availability in the poorest areas of the US. IE8 use is still significant in these areas.
Thanks for your help nudging me to the SNI caniuse.